Electronic systems and circuits have made a significant contribution towards the advancement of modern society and are utilized in a number of applications to achieve advantageous results. Numerous electronic technologies such as digital computers, calculators, audio devices, video equipment, and telephone systems have facilitated increased productivity and reduced costs in analyzing and communicating data, ideas and trends in most areas of business, science, education and entertainment. Frequently, electronic systems designed to provide these advantageous results are realized through the use of networked resources that facilitate leveraged use of centralized utility and data resources by distributed components. While the leveraged utilization of the centralized resources is advantageous, organization and maintenance of the centralized resources is usually very complex and often susceptible to the spread of detrimental intrusive attacks.
Centralizing certain resources within a distributed network typically provides desirable benefits. For example, centrally storing and/or processing information typically reduces wasteful duplicative storage and/or processing resources at each remote networked system. In addition to increasing efficiency, the functions provided and supported by centralized resources typically have significant economic value. The ever increasing demand for centralized type services is largely attributable to the ever growing cost of specialized information technology services and the increasing complexity of managing mission critical Enterprise and Internet applications. Interruptions in services and support for important applications implemented by the centralized resources due to intrusive attacks can be very costly. In supporting desirable flexibility and extensibility, centralizing resources can involve handling diverse applications, architectures and topologies (e.g., associated with a multi-vendor environment). Managing the infrastructure of a large and complicated centralized networked resource environment and protecting the resources from intrusive attacks raises many challenging operational issues.
Providing security for important centralized network assets is usually very important and also often complex. Offering ubiquitous access to a diverse set of centralized resources introduces challenges associated with protecting the centralized resources from intrusive attacks (e.g., that can detrimentally affect service quality). Modern networks can be very extensive and typically include numerous potential points of attack for intrusion. If an attack is able to “infiltrate” or overcome security measures at a particular point there is often an opportunity for the attack to spread rapidly and relatively unimpeded throughout a network. The devices in a network can be configured or associated to provide functionality and/or service for a variety of applications. Attacks directed to a single device or aspect of a network can be very harmful. The spread of the attack or intrusion throughout a network internally to impact applications implemented on and/or supported by the network can be devastating.
Intrusion attempts directed towards centralized resources are usually initially directed at penetrating from a single point or device and then to spread from that device to other devices in a centralized resource network or “internal” network. Traditional intrusion protection systems typically focus on preventing the initial breach of an individual component from devices outside internal networks. For example, a host intrusion detection system (HIDS) usually tries to detect intrusion on a host and a network intrusion detection system (NIDS) usually tries to detect intrusions directed at traffic on a network segment. While traditional intrusion protection often provides an initial line of defense or intrusion protection, breaching individual component security measures often occurs at an undesirable rate.
The most significant damage resulting from an intrusive attack on a component of a network usually occurs as a result of an intrusive attack spreading throughout the network. For example, an attack may be initially directed towards a relatively unimportant and/or unprotected component of a network. In and of itself the initial attack on a “weak” component may have little or no practical effect on the performance and functionality of the components in supporting various applications and systems, including important applications and systems. This may even be a reason for not expending security protection resources to protect the component. However, if the attack spreads from the “weak” component to a more critical component (e.g., a component that provides significant functionality for supporting important applications and systems), it could have a very significant effect on crucial performance and functional support. Even if significant resources are expended to protect the important component from attacks outside the network, they are essentially wasted if the component is susceptible to attacks from other components within the network. This is a significant consideration since once an initial breach is made, attacks typically spread in traditional systems and networks with little or no opposition.
Identifying devices in a centralized resource network or internal network that support important applications and are relatively more susceptible to attack internally is often complicated. Traditional attempts at preventing the spread of an attack usually involve manual coordination and analysis of individual alarms and potential impact on other devices in a system. Prior attempts at stopping the spread of an attack are usually laborious and often require a significant level of knowledge and expertise on the priority of different applications and the functionality particular network components contribute to the applications. The complexity of a network and the numerous different applications and/or systems that rely on a component can also increase susceptibility to flaws associated with human error, which tends to increase when attempting to identify the important and susceptible internal centralized resources during an intrusive attack.
In addition to detecting the potential for an intrusion attempt to spread, it is usually desirable to implement corrective action. Traditional attempts at responding to spreading of intrusive attacks from one component to another are also usually resource intensive and laborious. Understanding the possible appropriate corrective mechanisms to implement an effective prevention strategy and the impact of the attacks and/or corrective measures on applications is complex and traditionally a difficult endeavor. The fundamental manual approach of traditional systems is relatively slow compared to typical attack spread rates, which often permits the attack to penetrate more components and systems before a corrective action can be taken.
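The three preceding paragraphs describe the defender's problem in words: a breach on a "weak" device, the set of more important devices it can reach internally, the applications those devices support, and the choice of a corrective action. The following Python model, added here as an illustration and not taken from the original text or from any particular product, shows the same reasoning carried out mechanically. The topology, the device names, the application names and the 1 (low) to 5 (high) criticality weights are all constructed assumptions; the "links" relation is assumed to mean "this device can open connections to that device" on the internal network.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Device:
    # applications this device supports -> assumed criticality, 1 (low) .. 5 (high)
    apps: Dict[str, int] = field(default_factory=dict)
    # devices this device can open internal connections to (assumed reachability)
    links: Set[str] = field(default_factory=set)


# Constructed sample topology (assumed for illustration; not from the original text).
# "web-kiosk" is the low-value, weakly protected device an attack might land on first.
DEVICES: Dict[str, Device] = {
    "web-kiosk":    Device({"lobby-display": 1}, {"print-server", "hr-laptop"}),
    "hr-laptop":    Device({}, {"file-server"}),
    "print-server": Device({"printing": 2}, {"file-server", "web-kiosk"}),
    "file-server":  Device({"document-storage": 4}, {"db-primary"}),
    "db-primary":   Device({"billing": 5, "document-storage": 4}, set()),
}


def reachable(start: str, devices: Dict[str, Device],
              isolated: FrozenSet[str] = frozenset()) -> Set[str]:
    """Breadth-first walk over 'can reach' links from the breached device.

    Devices in `isolated` are treated as disconnected, which models the
    corrective action of cutting a device off from the internal network.
    """
    if start in isolated:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for neighbour in devices[current].links:
            if neighbour not in seen and neighbour not in isolated:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def exposed_apps(start: str, devices: Dict[str, Device],
                 isolated: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Applications whose supporting devices the attack could reach, with the
    highest criticality recorded for each application."""
    apps: Dict[str, int] = {}
    for name in reachable(start, devices, isolated):
        for app, crit in devices[name].apps.items():
            apps[app] = max(apps.get(app, 0), crit)
    return apps


def exposure_score(start: str, devices: Dict[str, Device],
                   isolated: FrozenSet[str] = frozenset()) -> int:
    """Single number summarising how much application value is within reach."""
    return sum(exposed_apps(start, devices, isolated).values())


def isolation_candidates(start: str,
                         devices: Dict[str, Device]) -> List[Tuple[str, int]]:
    """Rank each reachable device (other than the breached one) by the exposure
    that would remain if it alone were isolated. The first entry is the
    choke point whose isolation protects the most application value."""
    rows = []
    for name in reachable(start, devices) - {start}:
        rows.append((name, exposure_score(start, devices, frozenset({name}))))
    rows.sort(key=lambda row: (row[1], row[0]))
    return rows


if __name__ == "__main__":
    breached = "web-kiosk"
    print("reachable from", breached, ":", sorted(reachable(breached, DEVICES)))
    print("exposed applications:", exposed_apps(breached, DEVICES))
    print("exposure score:", exposure_score(breached, DEVICES))
    for name, remaining in isolation_candidates(breached, DEVICES):
        print(f"isolate {name:13s} -> remaining exposure {remaining}")
```

On the constructed topology the breach on the kiosk, harmless in itself, places every application within reach (score 12), and the ranking shows that isolating the file server, not the kiosk's immediate neighbours, cuts the remaining exposure to 3 because both internal paths to the database pass through it. A real deployment would replace the hand-written dictionary with an inventory and a reachability model taken from the network, and would let an alarm on a device trigger this computation rather than a manual review.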